The eight-digit BIN mandate arrived recently, regardless of whether the bankcard industry was prepared for it. The consequences of this seemingly simple change reach much further than you might realize. This new BIN format affects different areas of the industry in different ways, but to successfully navigate it, you should be aware of these individual impacts.
To that end, this article will reacquaint you with the purpose of BINs, the eight-digit BIN mandate, and the impacts this new format will have across the bankcard industry.
What Is a BIN?
BIN, which stands for Bank Identification Number, refers to the first set of numbers that appear on payment cards. This is a four-to-six-digit number used to identify, among other things, the institution that issued the card. BINs are essential for linking charge card transactions to their issuer.
BIN ranges are essential to the payment process since they allow merchants to accept numerous forms of payment swiftly and help merchants evaluate their card transactions. From the BIN range of a payment card, merchants can determine additional vital information, such as their card mix, which helps them understand the cost impact of interchange based on the card types they accept. This is valuable because it permits in-depth cost analysis and enables merchants to run real-time analytics on their BIN ranges to spot theft or fraud and its origination.
Although they can range from 8 to 19 digits, the primary account number on most credit and debit cards contains 16 digits. The International Organization for Standardization (or ISO) has established this as the norm.
This upgrade will not affect the ISO-standardized 16-digit card number. Thus, issuers will not be required to replace the account numbers of current cardholders.
Instead, the ISO has authorized a format that reassigns two of the existing digits of the cardholder’s primary account number (or PAN). Two digits from the cardholder’s account identity will be moved over and added to the BIN code.
The 8 Digit BIN Mandate
As the banking industry expands and demand for BINs grows, it has become necessary to extend the BINs from six to eight digits. Tokenization requires multiple PANs for a single account, so its emergence has also affected BIN demand.
The International Organization for Standardization developed an eight-digit BIN standard in 2017 (ISO/IEC 7812–1, Identification cards — Issuer identification — Part 1: Numbering system). With the adoption of this new standard, payment card companies will be guaranteed a sufficient supply of BINs globally.
As per the new ISO standard, Mastercard and Visa have mandated that their payment networks handle eight-digit BINs starting in April 2022:
Mastercard: Upon request, Mastercard will begin assigning 8-digit BINs to issuers beginning in April 2022. Mastercard mandates that all acquirers and their third-party processors (TPPs) adopt 11-digit account ranges and 8-digit BIN standards by April 2022 to ensure ecosystem preparedness. It is the responsibility of acquirers to ensure that their payment facilitators, payment gateways, merchants, third-party suppliers, and other service providers are prepared for the 8-digit BIN standard and account range processing by April 2022.
Visa: With the release of VisaNet Business Enhancements in April 2022, only 8-digit BINs will be issued by Visa for new requests, with 6-digit BINs no longer being issued. All acquirers and processors must support a new 8-digit BIN standard adopted by the International Organization for Standardization.
How Will This Impact Merchants?
The new format will have few short-term effects on the majority of merchants. Acquirers and payment processors will bear most of the burden of adapting to the new BINs. Compliance with the 8-digit system will be required by the deadline.
Still, there are exceptions to this rule. Not all merchants employ bank identification numbers in the same manner. BINs are required to ensure that payments and issuers are matched. However, they can be utilized in different ways, such as:
- Validating buyers using geolocation
- Identifying transactions involved in disputes
- Detailed data reporting
- Determining fraud scoring
- Administering discount and loyalty programs
All of these capabilities are optional, and most merchants do not rely on them. However, you may have BIN-based processes maintained internally—for example, transaction routing or fraud reporting. If so, you must confirm that all affected systems have been upgraded to function with the new model.
Other Impacts of the 8-Digit BIN Mandate
Merchants are not the only ones impacted by this change. Far from it. The following list includes several other changes brought about by the eight-digit BIN mandate:
Existing Six-Digit BINs
Six-digit BINs will become eight digits starting in April 2022.
The ISO update will enable issuers to increase their existing six-digit BINs to eight new BINs for business portfolio management. At any time after April 2022, they will be able to issue cards with eight-digit BINs.
As part of the ISO update, merchants, acquirers, and processors must continue supporting both six- and eight-digit BINs.
Mastercard issuers can use their existing data structure to manage their portfolios. From April 2022, however, six-digit BINs will be replaced with 100 eight-digit BINs.
Visa will consider six-digit BINs legacy in April 2022, and issuers can choose to expand any or all of their existing six-digit issuing BINs to eight digits. In general, Visa urges issuers to transition all present issuing BINs to the eight-digit ISO as soon as possible; however, issuers can determine their timeframe for the expansion.
The acquiring BIN is the same as the issuing BIN because it identifies a bank that acquires a payment. Acquirers are identified throughout the payment process, including authentication, authorization, clearing, and settlement. The ISO BINs that acquirers have access to are the same ones that issuers use.
Using ISO BINs for acquiring will cease to be supported beginning in April 2022. As a result, the acquiring identifiers will be reclassified and renamed. Consequently, the ISO update will not affect the existing BINs allocated to acquirers.
Additionally, the BINs that acquirers had assigned will be freed up by separating acquiring from ISO BINs. Furthermore, each of these BINs will be multiplied by 100 to account for the switch from 6 to 8 digits. Therefore, more BINs will be available to the payment sector.
Acquirer Reference IDs will no longer be regarded as Mastercard ISO BINs starting in April 2022. Instead, Acquirer Reference IDs will remain six-digit numeric identifiers.
In contrast, Visa will stop using ISO BINs for acquiring purposes. Due to this, all numbers used for acquisitions will continue to contain six digits. To avoid confusion with ISO’s BINs for issuance, Visa renames these numbers Acquiring Identifiers.
Primary Account Number (PAN)
The primary account number (PAN) identifies the cardholder and their account. The vast majority of credit and debit cards are issued with sixteen-digit numbers, despite the fact that ISO-compliant credit and debit card numbers can range from 8 to 19 digits.
Fortunately, when the regulation is enacted, PANs will remain sixteen digits long. As the PAN length remains unchanged, existing cards need not be renewed.
On the new eight-digit BIN cards, the sub-field that identifies the cardholder’s account will be shortened by two digits. Adding these two digits to the BIN makes it an eight-digit number.
The PAN has four subfields:
- BIN: The Bank Identification Number (BIN) identifies the issuing institution. For example, Wells Fargo Bank’s BIN for Visa is 407110. This organization is also referred to as the card issuer.
- MII (Major Industry Identifier): The first digit of the IIN (Issuer Identification Number, the ISO name for the BIN), ranging from 0 to 9, indicates the issuer’s primary industry. PANs beginning with “1” are issued by airlines, “4” is assigned to the Visa network, and “5” is assigned to the Mastercard network.
- Account Number: The number that identifies a cardholder’s account.
- Check Digit: Also known as Validator Digit. A number based on the Luhn method is used to verify the card number’s validity. The validator digit may appear in any of the last four positions of the card number, though it is commonly located in the last position.
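The four subfields and the effect of the two-digit shift can be seen by splitting the same PAN under both BIN lengths. This is an added example, not code from the original article; `PanFields`, `luhn_valid` and `split_pan` are hypothetical names, and the check digit is assumed to sit in the last position.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PanFields:
    mii: str          # Major Industry Identifier: first digit of the BIN
    issuer_bin: str   # six-digit (legacy) or eight-digit BIN
    account_id: str   # digits identifying the cardholder's account
    check_digit: str  # Luhn check digit, read from the last position


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    # Walk right to left, doubling every second digit (the check digit
    # itself, at index 0, is not doubled).
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def split_pan(pan: str, bin_len: int) -> PanFields:
    """Split a PAN into the four subfields for a 6- or 8-digit BIN."""
    if bin_len not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if not bin_len + 1 < len(pan) <= 19:
        raise ValueError("PAN length does not fit this BIN length")
    if not luhn_valid(pan):
        raise ValueError("PAN fails the Luhn check")
    return PanFields(pan[0], pan[:bin_len], pan[bin_len:-1], pan[-1])


# 4111111111111111 is a widely published Visa test number, not a live card.
TEST_PAN = "4111111111111111"
LEGACY = split_pan(TEST_PAN, 6)    # account_id has 9 digits
EXPANDED = split_pan(TEST_PAN, 8)  # account_id has 7 digits

if __name__ == "__main__":
    print(LEGACY)
    print(EXPANDED)
```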
Mastercard Account Ranges
Mastercard introduced account ranges in 2017 to help issuers make the most of their BINs. An account range consists of the first eleven digits of a PAN, including the six-digit BIN. Account ranges are used as a segmentation method to support distinct markets, product codes, and other parameters.
BINs will be expanded to eight digits by ISO, but account ranges will remain at eleven digits. Because the account range length stays uniform, it is possible to transition smoothly from a six-digit BIN to an eight-digit one. Unfortunately, this reduces the usable range from five to three digits.
You can divide BINs into several items by using account ranges. There can be differences between product families based on local norms, regulations, and regional practices.
Issuers can use a BIN to define the following account ranges:
- Distinct Mastercard product codes within a product family (representing each area)
- Different Mastercard countries of issuance (where central issuing is permitted)
- Different loyalty offerings and benefits
In addition to the new eight-digit BINs, the old BINs will also be recognized. Each old six-digit BIN will be extended by 00–99. Issuers may continue to use their six-digit BINs for portfolio management. The six-digit BIN will be used to identify issuers that continue to use the legacy BIN.
To handle multiple business portfolios, an issuer can divide its BIN into sub-BIN ranges if it wishes to expand its BIN and use the eight-digit BIN. Specifically, the legacy BINs would be replaced in the database with the current eight-digit numbers.
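A BIN lookup that has to serve legacy and expanded BINs side by side can be sketched as a longest-prefix match. This is an added example, not code from the original article or from either card network; the function names and every BIN in the table are constructed for illustration.

```python
from __future__ import annotations

ACCOUNT_RANGE_LEN = 11  # Mastercard account range length stated in the article


def expand_legacy_bin(bin6: str) -> list[str]:
    """Return the 100 eight-digit BINs (suffix 00-99) that cover one six-digit BIN."""
    if len(bin6) != 6 or not (bin6.isascii() and bin6.isdigit()):
        raise ValueError("expected a six-digit BIN")
    return [f"{bin6}{suffix:02d}" for suffix in range(100)]


def sub_range_digits(bin_value: str) -> int:
    """Digits left inside the 11-digit account range after the BIN."""
    return ACCOUNT_RANGE_LEN - len(bin_value)


def lookup_issuer(pan: str, bin_table: dict[str, str]) -> tuple[str, str] | None:
    """Longest-prefix match: try the 8-digit BIN first, then the 6-digit one."""
    for length in (8, 6):
        prefix = pan[:length]
        if len(prefix) == length and prefix in bin_table:
            return prefix, bin_table[prefix]
    return None


# Constructed table: one issuer still on a legacy six-digit BIN, another that
# has split its expanded BIN into eight-digit entries per portfolio.
BIN_TABLE = {
    "510510": "Issuer A, legacy six-digit BIN",
    "52345600": "Issuer B, consumer portfolio",
    "52345601": "Issuer B, business portfolio",
}

if __name__ == "__main__":
    # Constructed PANs; only the prefix matters for the lookup.
    for pan in ("5105101234567890", "5234560112345678", "4000001234567890"):
        print(pan[:8], "->", lookup_issuer(pan, BIN_TABLE))
    print("digits left in account range:",
          sub_range_digits("510510"), "vs", sub_range_digits("52345601"))
```

A system that slices only the first six digits would find no entry for the Issuer B cards, which is the kind of internal BIN-based process that needs updating.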
PCI DSS Compliance
The display and storage of PANs is governed by the following PCI Data Security Standard (PCI DSS) requirements:
To meet Requirement 3.3, PANs must be masked when displayed (at most the first six and last four digits of the PAN can be revealed), such that only individuals with a valid business need can see more than the first six/last four digits of the PAN. Under Requirement 3.4, the PAN must be made unreadable wherever it is stored (including on portable digital media, backup media, and in logs) by any of the following methods:
- Truncation (hashing cannot be used to replace the truncated segment of the PAN).
- Strong cryptography with associated key management.
- One-way cryptographic hashes (the hash must be of the entire PAN).
- Index tokens and pads (pads must be securely stored).
Display of PANs
Masking should always ensure that only the minimum number of digits needed to perform a particular business function is displayed. For example, if only the last four digits are necessary to perform a business function, mask the PAN so that only the last four digits are visible to those executing the operation. The intent of Requirement 3.3 is to display no more than the “first six and last four digits” of a PAN. However, an organization can display additional digits, if necessary, but only if a business justification is provided.
Storage of PANs
As a result of the eight-digit BIN extension rule, the maximum number of PAN digits that can be retained when truncating is “first six and any other four.” Because removing fewer digits when saving the PAN raises the risk of a full PAN reconstruction, truncation cannot be used to satisfy Requirement 3.4 if an entity needs to keep more than the “first six and any other four” digits. In that case, PANs must be rendered unreadable wherever they are stored by using one of the other three techniques (such as encryption, hashing, or tokenization).
Visa recommends that merchants engage with a PCI QSA trained in PCI DSS regulations. The QSA is better positioned to provide merchants with guidance on achieving compliance based on their existing controls. This is especially important for merchants unfamiliar with permitted technology procedures.
What Security Consequences Do 8-Digit BINs Have?
The security of credit card data is maintained and evaluated in accordance with PCI-DSS standards. Strict merchant compliance with the PCI-DSS standards is required to protect card numbers during transactions.
That is a positive thing. Over time, however, various payment procedures based on cards with a six-digit BIN were created around this data protection system. Possessing a BIN code with eight digits may pose security problems.
The merchant can store partial cardholder data, but the whole credit card number remains obscured. PCI-DSS permits using the first six and last four digits of the primary account number for transaction routing. The retailer may also store them without encryption procedures.
For the foreseeable future, however, both 6-digit and 8-digit BINs will be used concurrently. Thus, merchant and processor systems must be capable of processing both BIN types.
The two BIN types cannot usually be truncated in the same manner. If your system is configured for an 8-digit BIN, but you handle a 6-digit BIN card, you may expose sensitive cardholder information in the event of a data breach.
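The display rule and the storage limit described above, and the exposure that comes from applying an eight-digit format to every card, can be checked with a small audit. This is an added example, not code from the original article or from the PCI SSC; `mask_pan` and `audit_truncation` are hypothetical names, and the limit encoded is the article's “first six and any other four.”

```python
def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display; the default shows first six and last four."""
    if not (pan.isascii() and pan.isdigit()):
        raise ValueError("PAN must contain digits only")
    if keep_first < 0 or keep_last < 0 or keep_first + keep_last >= len(pan):
        raise ValueError("mask would reveal the whole PAN")
    hidden = len(pan) - keep_first - keep_last
    tail = pan[-keep_last:] if keep_last else ""
    return pan[:keep_first] + "*" * hidden + tail


def audit_truncation(pan_len: int, keep_first: int, keep_other: int) -> dict:
    """Check a truncation format against 'first six and any other four' and
    count how many Luhn-valid PANs remain consistent with the kept digits."""
    hidden = pan_len - keep_first - keep_other
    if hidden < 0:
        raise ValueError("format keeps more digits than the PAN has")
    # Once all other digits are fixed, the Luhn check determines one digit,
    # so a valid check digit removes a factor of ten from the search space.
    candidates = 10 ** max(hidden - 1, 0)
    return {
        "hidden_digits": hidden,
        "luhn_valid_candidates": candidates,
        "within_limit": keep_first <= 6 and keep_other <= 4,
    }


# 4111111111111111 is a widely published Visa test number, not a live card.
TEST_PAN = "4111111111111111"
SIX_FOUR = audit_truncation(len(TEST_PAN), keep_first=6, keep_other=4)
EIGHT_FOUR = audit_truncation(len(TEST_PAN), keep_first=8, keep_other=4)

if __name__ == "__main__":
    print(mask_pan(TEST_PAN))        # default display mask
    print(mask_pan(TEST_PAN, 0, 4))  # last four only, for a narrower need
    print("first 6 + 4:", SIX_FOUR)
    print("first 8 + 4:", EIGHT_FOUR)
```

Keeping the first eight digits instead of six leaves one hundred times fewer candidate PANs, which is why a format sized for eight-digit BINs falls outside the truncation limit when it is applied to stored data.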
What Must Businesses Do?
So, what modifications are necessary to ensure compliance? This is dependent on how widely BINs are utilized in your processing.
You must first do a complete examination of the entire organization. You will almost certainly need to alter any processing jobs that depend on BINs or are maintained internally. If you utilize third-party acquirers or other solutions, you must speak with your supplier regarding compliance with the new system.
The effects on the bank card industry from the shift to eight-digit BINs are far-reaching. While many processors, banks, and acquirers have already adapted to this new mandate, we have yet to see what other changes could arise from this situation.
However, above all, it’s crucial that your operations meet this mandate, as failing to do so could have dire repercussions. If you are unsure how to proceed, get in touch with your card processor.